Snort mailing list archives
Can ACID be configured to show packets that do not meet any alerts?
From: "loveshinobi" <loveshinobi () yahoo com>
Date: Tue, 4 Dec 2001 09:56:31 +0800
Hi all,

Now I know that ACID can show me the payload of a packet that triggers an alert in my ruleset. The thing is, sometimes I feel that showing the contents of only one (the offending) packet is not enough. I want to show the payloads of the offending packet plus the next (say) 5 packets after the offending packet (say, for the purpose of investigation).

I know that by using the activate/dynamic rule, I can configure Snort to log the next 5 packets after the first offending packet matches the signature of an alert. The question is, how will this show up in ACID? The thing is that the 2nd to 6th packets no longer match any alerts... Can I still see them in ACID? If not, how do I configure ACID so that I can see them as well?

I realise that I can experiment and then see the results, but I am in the midst of re-installing ACID with SSL, there's some error going on and I can't get it up, sigh! My boss wants an answer about this issue fast, so I have no choice but to email the list. Apologies, people, if this seems a dumb question...

Cheers!